Eric,
Thanks -- looks good to me.
"return" is useful for doing multiple chains on one packet -- "drop" if it isn't acceptable and "return" to do further checks in other chains for the acceptable ones.

The current fixed set of protocol chains are mutually exclusive, which makes "return" not very interesting. It'll be very useful with user-defined chains, a separate MAC address chain that does protocol checks on the same packet after, or a separate IP source address chain to do multiple address checks before other port or higher protocol checks.

Patches for at least one of these should go in soon I expect, and that will allow a nontrivial example for the documentation. With the current chains, a "return" will just get you to a "drop" or "accept" in the caller without any further checks on the same packet, so a "return" example with existing chains would be artificial.

I'll do an example when one of the above use cases is in: probably best to leave it at what you have now until then.
+-DLS